Scada Trojans Ruben Rootedcon


  • 8/3/2019 Scada Trojans Ruben Rootedcon

    1/55

    SCADA TROJANS

    ATTACKING THE GRID

    RUBEN SANTAMARTA

    2/55

    What are we going to talk about?

    SCADA / EMS

    TROJANS

    ATTACKS VECTORS

    REVERSE ENGINEERING

    ELECTRICAL ENERGY SYSTEM

    3/55

    THEORY

    4/55

    1. SCADA

    Supervisory Control And Data Acquisition (Spanish: Supervisión, Control y Adquisición de Datos).

    PROTOCOLS

    FIELD DEVICES

    PLC/RTU/IED

    HMI / SCADA SERVER

    5/55

    2. Electrical Energy System I

    Biggest industrial system ever

    TRANSFORMER INVENTION WIN! +V −I: transmission over long distances

    wikipedia

    6/55

    2. Electrical Energy System II

    Generation: Primary Source, Station, Three-Phase AC Generator, Step-up Transformer, Transmission lines

    Primary sources: Nuclear, Hydroelectric, Photovoltaic/Wind, Biomass...

    7/55

    2. Electrical Energy System III

    Transmission: Power Lines, Substations

    8/55

    2. Electrical Energy System IV

    Transmission Substations I

    RUNNING METASPLOIT AGAINST A SUBST. :)

    9/55

    2. Electrical Energy System IV

    Transmission Substations II

    A substation is a place where we can find: interconnection buses for lines; step-down transformers; measurement, protection, interruption and dispatch equipment (disconnect switches, load break switches, circuit switchers, power fuses, circuit breakers).

    Types of substations: Transmission, Distribution, Collector, Switching

    10/55

    2. Electrical Energy System V

    Transmission Substation Automation I

    Process Level (Breakers, Switchers, Transformers...)

    Bay Level (IEDs, Protection Devices...)

    Station Level (LAN, Concentrator, Additional devices...)

    HMI Level (Substation automation software, Server...)

    Remote Connection Level (Routers, Firewalls, Modems...)

    11/55

    2. Electrical Energy System V

    Transmission Substation Automation II

    [Diagram: substation equipment (Breakers, Switchers, Transformers...) at the Process level, then the Bay, Station, HMI and Remote levels, connected up to the EMS/CC]

    12/55

    2. Electrical Energy System V

    Transmission Substation Automation III: HMI one-line diagrams

    13/55

    14/55

    2. Electrical Energy System V

    Transmission Substation Automation IV

    Protocols: DNP3, Modbus, IEC 60870-5-10(1,3,4), IEC 61850, ICCP, OPC, RS-232/485, UCA2, MMS, vendor specific (Harris, Westinghouse, ABB...)

    15/55

    2. Electrical Energy System V

    Distribution

    www.mrsite.com

    16/55

    3. EMS / SCADA

    ENERGY MANAGEMENT SYSTEMS I

    Computer based tools for monitoring, coordinating and controlling generation, transmission and distribution.

    KEY CONCEPT: DECISION SUPPORT TO OPERATORS

    17/55

    2. EMS / SCADA I

    ENERGY MANAGEMENT SYSTEMS II

    [Diagram: IEDs/RTUs in substations and power plants report to the SCADA front-ends, which feed the SCADA system at the Control Center (CC)]

    18/55

    19/55

    3. EMS / SCADA

    ENERGY MANAGEMENT SYSTEMS III

    [Diagram: SCADA (Front End, Data Acquisition, Supervisory Control) feeding the EMS functions: Load Management, Energy Management, Automatic Generation Control, Security Control]

    20/55

    3. EMS / SCADA

    ENERGY MANAGEMENT SYSTEMS III

    SECURITY CONTROL

    DETERMINE THE STATE OF THE SYSTEM

    THE SYSTEM MUST SURVIVE IN ANY CASE

    PROCESS CONTINGENCIES

    DETERMINE PROPER ACTIONS

    21/55

    3. EMS / SCADA

    ENERGY MANAGEMENT SYSTEMS IV

    SECURITY CONTROL FUNCTIONS

    STATE ESTIMATOR

    TOPOLOGY PROCESSOR

    POWER FLOW

    OPTIMAL POWER FLOW

    SECURITY ENHANCEMENT

    BUS LOAD FORECASTING

    CONTINGENCY ANALYSIS

    . . .

    22/55

    PRACTICE

    23/55

    4. SCADA TROJANS I

    YOU'RE NOT A TARGET

    SPONSORED BY STATES,

    LARGE CORPORATIONS AND/OR 4CHAN

    TWO-STAGE TROJANS

    AUTONOMOUS AGENTS

    INTELLIGENCE INSIDE... AND OUTSIDE

    24/55

    4. SCADA TROJANS II

    YOU NEED TO P0WN THE RIGHT PEOPLE

    OBTAIN NEEDED INFO

    REPLICATE THE TARGET

    YOU CAN USE MONEY, TECHNOLOGY OR BOTH

    SOME DAY, SOMEWHERE, THE 2nd STAGE WILL BE TRIGGERED

    DEPLOYMENT

    25/55

    4. SCADA TROJANS III

    ATTACK VECTORS

    HARDWARE

    SOFTWARE

    PEOPLE

    26/55

    4. SCADA TROJANS IV

    CONTEXT

    TWO LITTLE COUNTRIES IN CONFLICT: RUBENHISTAN and REGGAETONIA

    REGGAETONIA PLANS TO HOLD THE BIGGEST REGGAETON FESTIVAL EVER.

    RUBENHISTAN IS DETERMINED TO STOP IT.

    Tiramis Gasolinia

    27/55

    4. SCADA TROJANS V

    OPERATION SNOW-HAMS

    RUBENHISTAN's Secret Service maintains a list of companies that operate Reggaetonia's facilities.

    RUBENHISTAN's Secret Service also consults public open source intelligence sources, such as a city's urban planning, to determine substation coverage.

    RUBENHISTAN's Secret Service launches a targeted attack against the operators who control a key substation and even Reggaetonia's EMS.

    LET'S SEE HOW TO PROCEED

    28/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION I

    It's known that the company who operates the substation implements HMI client/server software from Advantech.

    Advantech WebAccess

    PURE FICTION

    http://www.advantech.com.tw/products/Advantech-WebAccess/mod_B975C492-56B3-4EBA-8BBB-5B6D3483EE9D.aspx
    29/55

    30/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION II

    c:\windows\system32\bwocxrun.ocx [WebAccess Client]
    Implements IObjectSafety: True
    IDisp Safe: Safe for untrusted: caller,data
    IPersist Safe: Safe for untrusted: caller,data
    IPStorage Safe: Safe for untrusted: caller,data

    31/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION III

    After enticing one of the operators into visiting a specially crafted web page, our bwocxrun.ocx exploit worked. We landed.

    Time to map the Substation network.

    At Bay level we find CSE-Semaphore RTUs/IEDs

    http://www.cse-semaphore.com/

    32/55

    TBOX LITE 200 - Ethernet

    2 counters (I), 6 Analog (I) 4/20mA, 8 digital (I/O), 2 Temperature (I), 4 relays 230 V ac 3A (O)

    EMBEDDED HTTP Server, FTP, SNMP, EMAIL ...

    DNP3, IEC 60870-5, MODBUS... +40 Drivers

    http://www.cse-semaphore.com/pdf/brochure_T-BOX-Lite.pdf

    33/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION IV

    TVIEW: Ladder Logic and Basic, COMPILER

    SECURITY: MODBUS (Optional) ACCESS CODE - 4 Hexa Chars. HTTP AUTH (Optional). CUSTOM PASSWORD PROTECTION VIA SOURCE CODE

    34/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION V

    [Dialogue between the attacker and the RTU's web interface (IP)]

    HEY, I'M HERE TO POWN YOU

    OK, BUT FIRST INSTALL THIS ACTIVEX

    OK, DONE.

    COOL. DOWNLOAD THESE .TWF FILES

    35/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION VI

    TWF FILES: Compressed. Contain code compiled by the original programmer. VBasic Script code executed by vbscript.dll. Proprietary format, parsed by WebFormParser.dll. Contain fixed classes: CStationList, CTagList, CTag...

    Inside the TWF, each CTag entry contains its name, MODBUS address and length.

    36/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION VII

    HEY, TCOMM.DLL USES MODBUS AGAINST YOU

    THAT'S RIGHT. IT'S HOW YOU CAN INTERACT WITH ME

    MMM, BASIC CODE IS COMPILED AND EXECUTED AT CLIENT-SIDE, EVEN AUTH ROUTINES!

    WHAT IS CLIENT-SIDE?

    37/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION VIII

    Break on vbscript!COleScript::Compile to modify the TWF's Basic code before it is compiled.

    REAL EXAMPLE

        ' Password check shipped inside the TWF and executed on the client
        If txt_Password.Text <> Dlb_SMSPassword.Value Or txt_password.text = "" Then
            msgbox "The Password is incorrect!!" & vbCrlf & "A passord is ...." & vbCrlf & "Contact your local distributor to get the password.", Vbexclamation, "Password"
            Exit Sub
        End If

    CHANGE <> BY = ... WE ARE IN!

    38/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION IX

    Tcomm.dll

    YOU REALIZE EVERYONE CAN SEND YOU RAW MODBUS REQUESTS?

    DON'T BE EVIL!
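The point of this slide is that the RTU acts on raw Modbus requests from any host on the substation network, so a write does not have to come through the HMI at all. Added here as a defender-side example (not code from the talk or from any vendor): a small monitor that parses Modbus/TCP frames and raises an alert for state-changing function codes sent by hosts outside an allow-list, run over constructed sample traffic; the hosts 10.0.0.5 and 10.0.0.23 are assumptions.

```python
import struct

# Modbus function codes that change RTU/IED state; reads (fc 1-4) are ignored.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

def parse_mbap(frame):
    """Split a Modbus/TCP ADU into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:          # length field covers unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def audit_frames(frames, allowed_writers):
    """One alert per write request from a host not in allowed_writers,
    plus one per frame that does not parse as Modbus/TCP."""
    alerts = []
    for src, frame in frames:
        try:
            pdu = parse_mbap(frame)
        except ValueError as err:
            alerts.append("%s: malformed Modbus frame (%s)" % (src, err))
            continue
        fc = pdu["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            # every write PDU starts with the 16-bit starting address
            addr = struct.unpack(">H", pdu["data"][:2])[0] if len(pdu["data"]) >= 2 else -1
            alerts.append("%s: %s (fc %d) to unit %d at address %d"
                          % (src, WRITE_FUNCTIONS[fc], fc, pdu["unit"], addr))
    return alerts

# Constructed sample traffic as (source host, raw Modbus/TCP frame).
# 10.0.0.5 plays the SCADA front-end that is allowed to write to the RTU;
# 10.0.0.23 is an operator workstation that should only read.
SAMPLE_FRAMES = [
    ("10.0.0.23", bytes.fromhex("00020000000601030000000a")),            # read 10 holding registers
    ("10.0.0.23", bytes.fromhex("00010000000601050001ff00")),            # write coil 1 ON
    ("10.0.0.5",  bytes.fromhex("00030000000b0110001000020400010002")),  # write registers 16-17
    ("10.0.0.23", bytes.fromhex("0004000000060105")),                    # truncated frame
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(line)
```

The same check belongs on the network side of the RTU, since the device itself only offers an optional four-character access code.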

    39/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION X

    We are already controlling the Bay Level and the Station Level. However, we still need a vector to the EMS.

    SCADA Front-End + Network Service (webvrpcs.exe)

    MIDA.plw + MIDL.exe + Opcode 0x00 + others...

        void sub_401000(
            /* [in] */ handle_t arg_1,
            /* [in] */ long arg_2,
            /* [in] */ long arg_3,
            /* [in] */ long arg_4,
            /* [size_is][ref][in] */ unsigned char *arg_5,
            /* [in] */ long arg_6,
            /* [size_is][ref][out] */ unsigned char *arg_7,
            /* [ref][out] */ long *arg_8);

    40/55

    4. SCADA TROJANS VI

    P0WNING THE SUBSTATION XI

    webvrpcs.exe port 4592

    LANDED!

    41/55

    4. SCADA TROJANS VII

    Recalling

    Station/Operator p0wned via bwocxrun.ocx 0day

    Bay Level p0wned via TBOX flawed logic 0day

    SCADA Front-End p0wned via webvrpcs.exe RPC 0day

    3 0days! Almost Stuxnet! ;)

    42/55

    ALL AT ONCE

    43/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE I

    We deploy an autonomous agent to attack the State Estimator.

    Its goal is generating unexpected contingencies, which may end up causing a blackout.

    Operators will deal with fake results. Only in memory. Everything else is correct.

    The entire EMS is no longer operating within a secure state.

    44/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE II

    [Diagram of the state estimator: dynamic data (Measurements) and static data (Topology) enter the Topology Processor and Prefiltering, then State Estimation, Error Detection and Error Identification, with Observability analysis; the outputs are the Estimated state, Errors and Non-observable zones, delivered to the HMI]

    45/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE III

    Why a State Estimator?

    Measurements: Flows (real + reactive), Injections (real + reactive), Voltage, Current

    Virtual Measurements, Pseudomeasurements

    46/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE IV

    We can describe the previous measurements as a function of the system states. The functions $h_i$ are nonlinear.

    47/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE V

    Given the state vector $x$, the following $h_i(x)$ are used: Injections, Flows

    48/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE VI

    $\hat{z} = h(\hat{x})$ and $\hat{r} = z - \hat{z}$

    ...

    WLS ALGORITHM

    49/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE VII

    WLS BASED S.E. ALGORITHM (Weighted Least Squares)

    1. Initialize the state vector $x = x^0$ with the flat voltage profile ($V_i = 1$ pu, $\theta_i = 0$) and the iteration counter ($k = 0$).

    2. Compute the measurement residuals $r = z - h(x^k)$.

    3. Obtain $H$ and $G = H^T W H$.

    4. Solve the linear system: $\Delta x^k = G^{-1} H^T W r$.

    5. Update the state vector ($x^{k+1} = x^k + \Delta x^k$) and the iteration counter ($k = k + 1$).

    6. If any of the elements of $\Delta x$ exceeds the specified convergence threshold then return to step 2. Otherwise, stop.
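Steps 1 to 6 above carried through in code, together with the residual-based Error Detection step from the state estimator diagram, as an added example that is not from the talk; the 2-bus network, line impedance, meter standard deviation and the corrupted measurement are constructed. The chi-square test on $J(\hat{x})$ is the standard bad-data check: it flags telemetry that no state can explain, but not a trojan that rewrites the estimator's in-memory results after the check has passed, which is the scenario the slides describe.

```python
import math

# Constructed 2-bus system (not from the talk): bus 1 is the slack bus with
# V1 = 1 pu and angle 0; the unknown state is x = [theta2, V2]. The line has
# series impedance 0.01 + j0.10 pu, giving the admittance G + jB below.
G, B = 0.01 / 0.0101, -0.10 / 0.0101
SIGMA = 0.01              # assumed meter standard deviation, W = 1/SIGMA^2
CHI2_95_DOF2 = 5.991      # chi-square threshold for m - n = 4 - 2 dof

def h(x):
    """Measurement functions h_i(x): P12 flow, Q12 flow, P injection at bus 2, V2."""
    th2, v2 = x
    c, s = math.cos(-th2), math.sin(-th2)          # cos/sin of theta1 - theta2
    p12 = G - v2 * (G * c + B * s)
    q12 = -B - v2 * (G * s - B * c)
    p2 = v2 * v2 * G - v2 * (G * c - B * s)
    return [p12, q12, p2, v2]

def jacobian(x, eps=1e-7):
    """H = dh/dx by central differences (a real EMS uses analytic terms)."""
    cols = []
    for j in range(2):
        xp, xm = list(x), list(x)
        xp[j] += eps
        xm[j] -= eps
        cols.append([(a - b) / (2 * eps) for a, b in zip(h(xp), h(xm))])
    return [[cols[0][i], cols[1][i]] for i in range(4)]

def wls_estimate(z, w, tol=1e-8, max_iter=25):
    """Steps 1-6 of the WLS algorithm; returns (x_hat, J(x_hat), iterations)."""
    x = [0.0, 1.0]                                         # 1. flat start
    for k in range(1, max_iter + 1):
        r = [zi - hi for zi, hi in zip(z, h(x))]           # 2. residuals
        H = jacobian(x)                                    # 3. H and G = H^T W H
        g = [[sum(w[i] * H[i][a] * H[i][b] for i in range(4)) for b in (0, 1)] for a in (0, 1)]
        t = [sum(w[i] * H[i][a] * r[i] for i in range(4)) for a in (0, 1)]   # H^T W r
        det = g[0][0] * g[1][1] - g[0][1] * g[1][0]
        dx = [(t[0] * g[1][1] - g[0][1] * t[1]) / det,     # 4. dx = G^-1 H^T W r
              (g[0][0] * t[1] - g[1][0] * t[0]) / det]
        x = [xi + di for xi, di in zip(x, dx)]             # 5. update the state
        if max(abs(d) for d in dx) < tol:                  # 6. converged?
            break
    r = [zi - hi for zi, hi in zip(z, h(x))]
    return x, sum(wi * ri * ri for wi, ri in zip(w, r)), k

def bad_data_suspected(j_obj):
    """Chi-square test on J(x_hat) = r^T W r: a large J means no state can
    explain the telemetry, i.e. a meter error or an injected measurement."""
    return j_obj > CHI2_95_DOF2

X_TRUE = [-0.05, 0.98]
Z_CLEAN = h(X_TRUE)                             # constructed noise-free telemetry
Z_TAMPERED = [Z_CLEAN[0] + 0.3] + Z_CLEAN[1:]   # P12 reading corrupted by 0.3 pu
W = [1.0 / SIGMA ** 2] * 4
```

wls_estimate(Z_CLEAN, W) converges to X_TRUE in a handful of iterations with J close to zero, while wls_estimate(Z_TAMPERED, W) leaves a J in the hundreds that bad_data_suspected flags.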

    50/55

    4. SCADA TROJANS VIII

    THE 2nd STAGE VIII

    Our trojan must be triggered during the WLS algorithm. So we have to reverse engineer the target EMS software to find out where it performs the operations we have been seeing.

    Due to the complexity of EMS products, we should use tools for differential debugging.

    A great/free tool is myNav, implemented as an IDA plugin developed by Joxean Koret.

    http://code.google.com/p/mynav/

    51/55

        // Step 6 - WLS Algorithm - Obtain max value from Δxk
        for ( dword_61C068[0] = 1; v9 > 0; --v9 )
        {
            dbl_61BFC8 = fabs(*(double *)&dword_61C6A8[2 * dword_61C068[0]]);
            if ( dbl_61BFC8 > dbl_61BFD0 )
            {
                dbl_61BFD0 = dbl_61BFC8;
                dword_61C030 = dword_61C068[0];
            }
            ++dword_61C068[0];
        }
        v3 = dbl_61BFD0;
        if ( dbl_61BFD0 < dbl_937300[0] ) // Max val from Δxk < Tolerance
        {
            dword_61C02C = 1;
            v43 = 0;
            goto No_More_iters;
        }
        ++dword_94EDF4;
        --g_K; // iterations
        if ( g_K

    52/55

    5. SCADA TROJANS IX

    TRY IT YOURSELF: PET

    http://www.ece.neu.edu/~abur/pet.html

    53/55

    5. SCADA TROJANS IX

    MISSION COMPLETED

    After the successful attack, Reggaetonia suffered random blackouts for months till its own people, tired of the situation, assaulted the institutions.

    Every attempt to contract a considerable amount of MW for reggaeton festivals ended up in a partial blackout.

    RUBENHISTAN WINS.

    6. CONCLUSIONS

    54/55

    6. CONCLUSIONS

    Trojans designed for SCADA environments should do their job stealthily, quietly... letting operators think they can still trust their HMI/equipment.

    Combined attacks against State Estimators give you 100% guaranteed success. In the near future, a massive adoption of PMUs could be an inflection point.

    False data injection, nowadays, is more an academic attack than a real world attack IMHO.

    We have presented a general attack against SE.

    55/55

    HACK THE PLANET

    TAKE YOUR MW!

    RUBEN SANTAMARTA @reversemode